A  combined  arms  approach 
to  defending  Army  networks 


By  Russell  Fenton 

In  the  face  of  new  cyberspace  challenges,  we  must 
adopt  new  ways  of  defending  our  networks. 

If  change  cannot  be  enacted,  we  will  find  our¬ 
selves  mired  on  the  bitter  trail  of  defeated  militaries 
that  failed  to  adapt  to  changing  environments  at  the 
time  and  pace  necessary. 

We  can  hear  faint  rumblings  and  see  the  cracks 
in  the  walls  of  our  network  security.  The  defenses  in 
confidentiality,  integrity,  and  availability  of  the  in¬ 
formation  modified,  exchanged,  and  stored  by  Army 
networks  and  information  systems  is  under  continu¬ 
ous  attack.  The  incident  related  to  Operation  Buck¬ 
shot  Yankee  was  only  one  "known"  out  of  hundreds 
or  thousands  of  "unknowns";  and  in  the  end,  tera¬ 
bytes  (maybe  even  petabytes)  of  data  are  exfiltrated 
from  Army  networks  on  a  yearly  basis. 

Now  that  we  are  fully  aware  of  the  continuous 
threats  and  some  loses  of  security  in  cyberspace,  we 
must  use  this  opportunity  to  develop  and  gain  sup¬ 
port  for  a  different  approach  to  defending  our  net¬ 
works  against  a  myriad  of  threats. 

Cyberspace  is  defined  as  "a  global  domain  within 
the  information  environment  consisting  of  the  in¬ 
terdependent  network  of  information  technology 
infrastructures,  including  the  internet,  telecommuni¬ 
cations  networks,  computer  systems,  and  embedded 
processors  and  controllers."  Given  the  inclusion  of  the 
terms  "information  technology  infrastructures"  and 


"telecommunications  networks"  within  the  cyber¬ 
space  definition,  along  with  the  fact  that  JP  6-0  (Joint 
Communication  Systems)  states  "The  GIG  operates, 
through  cyberspace,  as  a  globally  interconnected, 
end-to-end,  interoperable  network-of -networks...," 
there  should  exist  no  doubt  that  Army  networks  are 
the  land  forces'  application  of  the  cyberspace  domain. 

As  it  has  for  more  than  a  decade,  the  Army 
depends  on  cyberspace  [the  LandWarNet]  to  function 
and  create  the  necessary  effects  to  gain  an  information 
advantage  over  adversaries  of  the  U.S.  It  is  difficult 
to  overstate  this  reliance.  Commanders  and  leaders 
at  all  echelons,  whether  CONUS  or  OCONUS,  have 
come  to  rely  on  cyberspace  to  collaborate,  gain  situ¬ 
ational  awareness,  plan,  and  conduct  mission  com¬ 
mand  at  net  speed  through  the  full  range  of  military 
operations.  The  Department  of  Defense  has  recog¬ 
nized  this  reliance  on  cyberspace;  and  subsequently 
in  July  2011,  it  published  a  strategy  that  directs  the 
services  to  treat  cyberspace  as  an  operational  domain 
(as  relevant  a  domain  as  land,  sea,  air,  and  space)  to 
organize,  train,  and  equip  so  they  can  take  full  advan¬ 
tage  its  potential. 

No  doubt  our  adversaries  have  recognized  the 
Army's  ever-growing  dependence  on  this  new  do¬ 
main.  Realizing  they  cannot  match  the  Army  force- 
on-force,  nation  states  and  terrorist  groups  alike 
are  aggressively  building  capacity  to  fight  us  in  the 
virtual  realm.  This  fact  foretells  a  future  in  which  no 
other  aspect  of  the  Army  will  experience  the  reality 
of  persistent  conflict  more  than 
the  LandWarNet.  It  additionally 
leads  to  cyberspace  becoming  a 
distinct  dimension  for  warfare 
in  its  own  right.  The  warfight¬ 
ers  and  leaders  of  the  U.S.  Army 
will  gain  a  significant  advantage 
if  it  can  defend  the  LandWarNet 
against  internal  and  external 
threats.  But  to  win  that  fight. 
Army  leaders  must  implement  a 
new  operational  approach  that 
echoes  proven  land  domain  con¬ 
cepts  in  an  abstract  cyber  battle 
space. 

(Continued  on  page  20) 


Cyberspace  is  a  doman  critical  to  mission  command  and  daily  operation.  Defending 
cyberspace  requires  the  same  combined  arms  approach  that  has  been  successfully 
used  in  other  aspects  of  military  and  domestic  operations. 


Army  Communicator 


19 


Report  Documentation  Page 

Form  Approved 

OMB  No.  0704-0188 

Public  reporting  burden  for  the  collection  of  information  is  estimated  to  average  1  hour  per  response,  including  the  time  for  reviewing  instructions,  searching  existing  data  sources,  gathering  and 
maintaining  the  data  needed,  and  completing  and  reviewing  the  collection  of  information.  Send  comments  regarding  this  burden  estimate  or  any  other  aspect  of  this  collection  of  information, 
including  suggestions  for  reducing  this  burden,  to  Washington  Headquarters  Services,  Directorate  for  Information  Operations  and  Reports,  1215  Jefferson  Davis  Highway,  Suite  1204,  Arlington 

VA  22202-4302.  Respondents  should  be  aware  that  notwithstanding  any  other  provision  of  law,  no  person  shall  be  subject  to  a  penalty  for  failing  to  comply  with  a  collection  of  information  if  it 
does  not  display  a  currently  valid  OMB  control  number. 

1.  REPORT  DATE 

2Qi2  2 • REPORT  TYPE 

3.  DATES  COVERED 

00-00-2012  to  00-00-2012 

4.  TITLE  AND  SUBTITLE 

A  combined  arms  approach  to  defending  Army  networks 

5a.  CONTRACT  NUMBER 

5b.  GRANT  NUMBER 

5c.  PROGRAM  ELEMENT  NUMBER 

6.  AUTHOR(S) 

5d.  PROJECT  NUMBER 

5e.  TASK  NUMBER 

5f.  WORK  UNIT  NUMBER 

7.  PERFORMING  ORGANIZATION  NAME(S)  AND  ADDRESS(ES) 

U.S.  Army  Signal  Center  of  Excellence, Army  Communicator, Signal 

Towers  (Building  29808),  Room  713, Fort  Gordon, GA, 30905-5301 

8.  PERFORMING  ORGANIZATION 

REPORT  NUMBER 

9.  SPONSORING/MONITORING  AGENCY  NAME(S)  AND  ADDRESS(ES) 

10.  SPONSOR/MONITOR'S  ACRONYM(S) 

11.  SPONSOR/MONITOR'S  REPORT 
NUMBER(S) 

12.  DISTRIBUTION/AVAILABILITY  STATEMENT 

Approved  for  public  release;  distribution  unlimited 

13.  SUPPLEMENTARY  NOTES 

14.  ABSTRACT 

15.  SUBJECT  TERMS 

16.  SECURITY  CLASSIFICATION  OF:  17.  LIMITATION  OF 

_ _ _  ABSTRACT 

18.  NUMBER  19a.  NAME  OF 

OF  PAGES  RESPONSIBLE  PERSON 

a.  REPORT  b.  ABSTRACT  c.  THIS  PAGE  Same  OS 

unclassified  unclassified  unclassified  Report  (SAR) 

3 

Standard  Form  298  (Rev.  8-98) 

Prescribed  by  ANSI  Std  Z39-18 


(Continued  from  page  19) 

The  success  of  American  warfighters  in  the  land 
domain  has  much  to  do  with  our  ability  to  apply 
elements  of  combat  power  at  the  time  and  place  of 
our  choosing.  The  application  of  combat  power 
requires  a  combined  arms  approach  that  integrates 
complementary,  yet  uniquely  different,  capabilities 
so  that  counteracting  one  makes  the  enemy  vulner¬ 
able  to  another.  ADP  3-0  provides  an  example  of 
this  approach  when  describing  how  commanders 
use  artillery  to  suppress  an  enemy  bunker  com¬ 
plex,  which  then  enables  an  infantry  unit  to  close 
with  and  destroy  the  enemy. 

Effectively  defending  the  LandWarNet  requires 
that  Army  warfighters  expand  our  notion  of  where 
combined  arms  must  be  conducted.  In  the  past. 
Army  leaders  viewed  the  LandWarNet  as  just  an 
enabler  to  more  efficiently  meet  information  re¬ 
quirements.  But  combat  power  needs  to  be  applied 
in  cyberspace  just  as  much  as  through  it.  Comple¬ 
mentary,  yet  uniquely  different,  cyber  capabilities 
across  network  build,  operate,  defend,  exploit, 
and  attack  functions  must  be  integrated  in  order  to 
find,  fix,  and  finish  threats  and  vulnerabilities  in¬ 
side  and  outside  the  network.  This  does  not  mean 
that  Army  warfighters  should  do  away  with  the 
primary  objective  of  fighting  and  winning  in  the 
land  domain  (successfully  defending  in  cyberspace 
must  lead  to  a  physical  outcome).  Instead,  Army 
warfighters  should  recognize  the  fact  that  com¬ 
manders  have  to  leverage  the  appropriate  capabili¬ 
ties  as  part  of  a  combined  arms  approach  in  cyber¬ 
space  similar  to  the  more  established  paradigm. 

Traditionally,  commanders  look  to  Signal  ele¬ 
ments  for  the  installation,  operation,  maintenance, 
and  defense  of  the  organization's  network.  The 
availability  of  the  network,  along  with  the  confi¬ 
dentiality  and  integrity  of  the  information  riding 
it,  are  assumed.  Vulnerability  alerts  and  network 
related  tasking  orders  circumvent  operations  chan¬ 
nels  and  are  pushed  down  through  more  technical 
channels.  Information  about  current  threat  tactics, 
techniques,  and  procedures  which  can  be  used  to 
proactively  implement  appropriate  countermea¬ 
sures  has  been  difficult  to  receive.  The  result  of 
this  has  been  reduced  situational  awareness,  no 
unity  of  effort,  and  networks  that  have  seen  their 
fair  share  of  exploits. 

The  idea  of  a  combined  arms  approach  to 
defend  the  network  establishes  a  working  environ¬ 
ment  which  enables  the  coordination,  integration, 
and  synchronization  between  the  operational  pro¬ 
cesses  performed  in  the  current  operations,  future 
operations,  and  plans  under  an  operations  section 
-  who  disseminate  and  oversee  the  execution  of  the 
commander's  priorities  -  with  the  unique  network 


operate  and  defensive  capabilities  provided  by  the 
Signal  element,  and  the  specialized  intelligence, 
surveillance,  and  reconnaissance  support  and  spe¬ 
cific  offensive  cyberspace  reach-back  capabilities 
provided  by  the  Intelligence  community.  All  this 
enhanced  by  other  information  related  capabilities 
such  as  inform  and  influence  activities  and  even 
knowledge  management.  Similar  to  the  combined 
arms  example  in  ADP  3-0  that  described  the  mutu¬ 
ally  supporting  efforts  of  Field  Artillery  and  Infan¬ 
try,  an  example  of  combined  arms  in  cyberspace 
would  be  the  use  of  Signal-related  capabilities  to 
disrupt  or  redirect  malicious  activity  away  from 
critical  net-enabled  mission  command  systems, 
which  then  allows  an  Intelligence-related  Crypto¬ 
logical  Support  Element  to  close  with  and  destroy 
the  enemy's  cyberspace  capabilities.  Expanding 
network  defense  operations  from  the  friendly  to 
adversary  box  increases  the  situational  awareness 
and  unity  of  effort  the  Army  lacks,  and  creates  an 
economy  of  force  that  ensures  commanders  can 
concentrate  network  defenders  when  and  where 
necessary. 

For  more  than  a  year  now,  leaders  in  the  Army 
Cyber  Command  Army  Cyberspace  Operations 
Integration  Center  at  Fort  Belvoir,  Va.  have  been 
utilizing  a  combined  arms  approach  to  defend  the 
LandWarNet  at  the  strategic-level.  Yet,  a  recent 
article  by  members  of  the  U.S.  Army  Mission  Com¬ 
mand  Center  of  Excellence  at  Fort  Leavenworth, 
Kan.  highlighted  that  to  some  degree,  a  combined 
arms  approach  is  already  taking  shape  at  the  op¬ 
erational  and  tactical-level  as  well.  The  soon-to-be- 
published  revisions  to  Field  Manual  3-36  Electronic 
Warfare  in  Operations  will  task  the  commander's 
EW  element  to  expand  and  use  the  EW  working 
group  to  facilitate  the  integration  of  what  Army 
leaders  call  Cyber  Electromagnetic  Activities. 

The  overarching  objective  of  CEMA  is  to  gain  an 
advantage,  protect  the  advantage,  and  place  the 
adversary  at  a  disadvantage  in  a  congested  and 
contested  cyberspace  and  electromagnetic  spec¬ 
trum.  However,  the  solution  is  intended  only  as  a 
bridge  until  the  Army  develops  a  more  appropri¬ 
ate  means  to  achieve  this.  Army  Cyber  Command 
leaders  and  the  MCCoE,  supported  by  leaders  from 
the  Signal  Center  of  Excellence  and  Intelligence 
Center  of  Excellence,  amongst  others,  are  working 
the  Army's  effort  to  determine  how  best  to  accom¬ 
plish  CEMA  integration  for  the  long  term. 

Current  plans  envision  CEMA  integrated  with¬ 
in  the  operations  process  via  the  Cyber-Electro¬ 
magnetic  Working  Group  (consisting  of  the  G/S-2, 
G/S-3,  G/S-6,  G/S-7,  and  others).  The  role  of  the 
working  group  will  be  to  integrate  and  synchro¬ 
nize  cyberspace  operations,  EW  and  EMSMO  to 
maintain  freedom  of  action  in  cyberspace  while  de- 


20  Fall -2012 


nying  our  adversaries  the  same, 
ultimately  to  achieve  the  com¬ 
mander's  operational  objectives. 
This  will  involve  unifying  the 
offensive  and  defensive  aspects 
of  cyber-electromagnetic  activi¬ 
ties  and  orienting  them  on  the 
commander's  intent.  To  this  end, 
the  working  group  serves  as  the 
source  of  cyber-electromagnetic 
situational  awareness  and  con¬ 
tinually  assesses  progress  toward 
desired  conditions. 

The  first  demonstration  of  the 
CEMA  concept  will  occur  during 
the  Network  Integration  Evalu¬ 
ation  (NIE)  13.1  (Oct-Nov  12)  at 
Fort  Bliss,  Texas.  Representa¬ 
tives  from  the  SigCoE,  Army 
Cyber  Command,  and  MCCoE 
have  already  worked  with  the 
organizations  supporting  the 
evaluation  (Brigade  Moderniza¬ 
tion  Command,  1st  Armor  Divi¬ 
sion,  and  2/1BCT)  to  determine 
the  appropriate  network  defense 
related  functions  that  will  be 
conducted  in  the  work  group  by 
representatives  from  the  S-6: 

•  Share  and  integrate  the  friend¬ 
ly  network  common  operating 
picture  with  information  on 
adversary  and  other  specified 
cyberspace  areas  in  order  to 
produce  overall  cyberspace  situ¬ 
ational  awareness 

•  Receive  and  request  intelligence 
information  from  the  S-2  in  refer¬ 
ence  to  potential  threats  and  as¬ 
sociated  threat  tactics,  techniques, 
and  procedures  utilized  against 
mission  command  networks  and 
systems 

•  Assess,  coordinate,  and  synchro¬ 
nize  changes  to  the  unit's  infor¬ 
mation  operation  condition  and 


overall  readiness  level 

•  Plan,  integrate,  and  synchronize 
network  defense  operations  into 
the  unit's  operations  processes  and 
scheme  of  maneuver 

•  Report  information  on  unauthor¬ 
ized  network  activity  to  be  inte¬ 
grated  with  other  possible  indica¬ 
tions  and  warnings 

•  Present  a  timely  and  accurate 
estimate  of  technical  impact  result¬ 
ing  from  the  threat  activity  and 
determine  detrimental  effects  to 
the  unit's  mission  assurance 

•  Plan,  coordinate,  and  synchro¬ 
nize  response  actions  to  threat 
activity  and  assess  risk  for  mission 
command  networks  and  systems 

•  Plan,  request,  and  coordinate 
the  implementation  of  network 
defense  capabilities  provided  by 
entities  external  to  the  unit 

•  Participate  in  the  after  actions 
review  of  an  incident  to  determine 
the  effectiveness  and  efficiency  of 
incident  handling 

•  Assist  in  the  prioritization  of 
CEM  effects  and  targets 

•  Deconflict  network  defense 
operations  with  unified  land  op¬ 
erations,  to  include  vulnerability 
assessments 

•  Support  CEM  TTP  development 

•  Assess  defensive  CEM  require¬ 
ments 

•  Provide  current  assessment  of 
network  defense  resources  avail¬ 
able  to  the  unit 

At  least  for  the  S-6,  integrat¬ 
ing  these  actions  within  the  work¬ 
group  alongside  complementary 
functions  from  the  S-3  and  S-2  will 
elevate  the  commander's  support, 
gain  access  to  information  that 
can  proactively  lead  to  the  imple¬ 
mentation  of  network  defense 


countermeasures,  minimize  risk 
by  leveraging  offensive  cyber  and 
intelligence  capabilities  to  address 
threats  for  which  no  organic  de¬ 
fensive  solution  exists,  and  achieve 
unity  of  effort.  Undoubtedly, 
lessons  learned  captured  during 
NIE  will  determine  if  the  functions 
stated  are  correct  in  fulfilling  these 
objectives. 

In  the  face  of  new  challenges, 
the  Army  is  indeed  losing  the 
fight  to  defend  the  confidentiality, 
integrity,  and  availability  of  the 
information  modified,  exchanged, 
and  stored  by  Army  networks  and 
information  systems. 

Recognizing  the  LandWarNet 
as  part  of  the  cyberspace  domain 
opens  the  doors  to  new  para¬ 
digms  and  methods  to  get  at  this 
problem.  The  Army's  strength 
in  the  land  domain  undoubtedly 
comes  from  its  ability  to  success¬ 
fully  integrate  complementary 
capabilities  as  part  of  a  combined 
arms  approach.  Defending  cyber¬ 
space  should  be  no  different.  The 
ACOIC  and  CEMA  concept  will  go 
a  long  way  in  making  combined 
arms  in  cyberspace  a  reality. 

Only  the  future  will  indicate  if 
Army  leaders  adapted  at  the  right 
time  and  pace  to  avoid  another 
painful  lesson. 

Russell  Fenton  presently  works  as 
Department  of  the  Army  Civilian  as 
the  Chief  of  the  Cyber  Cell,  TRADOC 
Capabilities  Management  Office 
Global  Network  Enterprise,  U.S. 

Army  Signal  Center  of  Excellence  at 
Fort  Gordon,  Ga.  He  is  a  retired  Sig¬ 
nal  and  Information  Systems  Manage¬ 
ment  (FA53)  officer  with  over  24  years 
of  combined  service. 


Acronym  QuickScan 


ACOIC  -  Army  Cyberspace  Operations  Integration 
Center 

CEMA  -  Cyber  Electromagnetic  Activities 

CONUS  -  Continental  United  States 

DoD  -  Department  of  Defense 

EMSMO  -  Electromagnetic  Spectrum  Management 

Operations 


EW  -  Electronic  Warfare 

GIG  -  Global  Information  Grid 

MCCoE  -  Mission  Command  Center  of  Excellence 

NIE  -  Network  Integration  Evaluation 

OCONUS  -  Outside  Continental  United  States 

TTP  -  Tactics,  Techniques,  and  Procedures 


Army  Communicator 


21 


